Researcher discovers targeted iPhone app "kill switch"

A mobile development author has discovered a mechanism in Apple's iPhone software that would allow the company to blacklist and remotely deactivate installed apps that have been purchased and installed by users.

The kill switch would offer Apple a more targeted weapon to snuff out offending apps than its existing capacity to revoke a developer's signing certificate, an action that could ultimately be used to shut down every application being distributed by a developer. The more accurate aim of the new system may leave the company less hesitant to use it in rooting out apps it finds undesirable.

Jonathan Zdziarksi's iPhone Open Application Developmentindicates that the CoreLocation framework in the iPhone 2.0 (as well as the updated iPod touch firmware) points to a secure website that appears to contain at least placeholder code for a list of "unauthorized" apps.

While it's unclear as to whether or not the operating system consults this site often or at all, its existence hints to Zdziarski the possibility of a kill switch that would give Apple final say over an app's ability to run, effectively putting all of the handheld devices under watch as long as they have an Internet connection.

"This suggests that the iPhone calls home once in a while to find out what applications it should turn off," he says. "At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down."

The finding expands upon Apple's previously recognized capability to revoke developer's certificates in order to prevent execution of their apps, a power also held by other platforms that have the capacity for mandatory certificate signing, including the Symbian OS 9.1 or greater in use by Nokia as well as RIM's BlackBerry OS.

As part of the security architecture for its mobile WiFi platform, as outlined by Apple chief Steve Jobs in October of last year, the iPhone SDK requires that each app that is made available through the App Store be signed by a security certificate, issued by Apple and unique to the developer. The iPhone refuses to run unsigned apps unless its security system has been defeated by jailbreaking.

The most obvious purpose of requiring that all iPhone apps be signed is that it allows Apple to selectively approve developers and the apps that are distributed through the Apps Store. However, as the iPhone's certificate signing authority, Apple has always had the option of retroactively revoking certificates at any stage and rendering programs unusable. In order for this to happen, the iPhone would only need to consult Apple's servers to gain an updated list of revoked certificates. Once a developer's certificate was revoked, none of their signed apps would run, just as is the case with unsigned apps.

That type of control over third party apps has stirred controversy on other platforms before, as it demands full and complete trust in the company managing the certificate authority to behave fairly and in the interests of users. Apple, RIM, and others could theoretically abuse their control to revoke rights for competitors' apps, or to punish developers for arbitrary reasons. Microsoft's Palladium project, which hoped to convert the PC into a similarly secured platform, failed because the industry as a whole did not trust Microsoft to exercise the vast power it would gain over the entire PC hardware market.

Apple has described its certificate signing program as a means of securing iPhones and iPods against viruses, spyware, malware, and material determined to be indecent. However, since the Apps Store opened nearly a month ago, the company has also pulled a few apps from the store, such as Nullrivers' NetShare, either without stating any reason or because those apps were found in violation of Apple's policies. In the case of NetShare, it appears Apple removed the app from the store in order to appease AT&T, which does not support Internet sharing tethering on the iPhone data plan.

While Apple has pulled apps from the store, it has not yet revoked any known developer's certificate, a move that would kill all their apps and could potentially prevent them from running on mobile devices after their purchase and installation. Certificate revocation would likely only be used by Apple in an emergency case, where signed apps in the wild were found to be malicious after the fact.

However, Zdziarski's findings suggest that Apple could use a more targeted blacklist site as a kill switch to disable specific apps. This mechanism could similarly be used to stop malicious malware, disabling viral apps before they have an opportunity to spread out of control. It could also be used by Apple to give IT managers the ability to remotely disable apps from their employees' phones. Apple has already outlined plans for delivering custom corporate app deployment through a local version of the iTunes App Store. Being able to both remotely install and remove apps from mobile devices would be a highly desirable feature for IT managers in high security environments.

Apple has so far not exercised any of its revocation powers. Despite having removed apps from sale in the store, the company has yet to disable any apps that have been installed by users. A test item on the unauthorized apps list Zdziarski discovered is described as "malicious," suggesting that the Cupertino-based company behind the list is at least currently interested more in stamping out threats to its customers than it is policing the software on users' phones.